[ASA-201611-21] slock: access restriction bypass

2016-11-21 00:00:00
security.archlinux.org

CVSS2: 5
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 7.5
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.008
  Percentile: 81.8%

Arch Linux Security Advisory ASA-201611-21

Severity: Medium
Date    : 2016-11-21
CVE-ID  : CVE-2016-6866
Package : slock
Type    : access restriction bypass
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE

Summary

The package slock before version 1.4-2 is vulnerable to access
restriction bypass.

Resolution

Upgrade to 1.4-2.

pacman -Syu "slock>=1.4-2"

The problem has been fixed upstream in version 1.4.

Workaround

None.

Description

A null pointer dereference vulnerability has been discovered in the
screen locking application slock. It calls crypt(3) and uses the return
value for strcmp(3) without checking to see if the return value of
crypt(3) was a NULL pointer. If the hash returned by
(getspnam()->sp_pwdp) is invalid, crypt(3) will return NULL and set
errno to EINVAL. This will cause slock to segfault which then leaves
the machine unprotected. A couple of common scenarios where this
might happen are:

  • a machine using NSS for authentication; on the machine this bug was
    discovered, (getspnam()->sp_pwdp) returns "*".
  • the user’s account has been disabled for one reason or another; maybe
    account expiry or password expiry.
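
The unchecked pattern described above, next to a form that fails closed, as an added example (not slock's own code and not the upstream patch). The names stub_crypt, unlock_unchecked, unlock_checked and hash_is_usable are hypothetical, the sample hashes are constructed, and stub_crypt is a toy stand-in for crypt(3) so the block builds without -lcrypt.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3); real code would pass crypt itself. */
typedef char *(*hash_fn)(const char *key, const char *setting);

/* Constructed stand-in for crypt(3). As in the advisory, an unusable stored
 * hash such as "*" yields NULL with errno set to EINVAL.
 * Toy scheme (not a real KDF): output = salt prefix up to the last '$' + key. */
static char *stub_crypt(const char *key, const char *setting)
{
    static char out[128];
    const char *end = setting[0] == '$' ? strrchr(setting, '$') : NULL;
    if (end == NULL || end - setting > 32) {
        errno = EINVAL;
        return NULL;
    }
    snprintf(out, sizeof out, "%.*s%s", (int)(end - setting + 1), setting, key);
    return out;
}

/* Pattern from the advisory: the result goes straight into strcmp(3), so a
 * NULL result is dereferenced and the locker crashes. */
static int unlock_unchecked(hash_fn h, const char *pw, const char *stored)
{
    return strcmp(h(pw, stored), stored) == 0;
}

/* Checked form: NULL means "cannot verify", so stay locked (fail closed). */
static int unlock_checked(hash_fn h, const char *pw, const char *stored)
{
    const char *got = h(pw, stored);
    return got != NULL && strcmp(got, stored) == 0;
}

/* Probe before grabbing the screen: a hash that can never verify is an error
 * to report up front, not something to discover at unlock time. */
static int hash_is_usable(hash_fn h, const char *stored)
{
    return stored != NULL && h("", stored) != NULL;
}

int main(void)
{
    const char *good = "$toy$ab$hunter2", *bad = "*"; /* constructed samples */
    printf("usable: good=%d bad=%d\n", hash_is_usable(stub_crypt, good), hash_is_usable(stub_crypt, bad));
    printf("unchecked(good)=%d checked(bad)=%d\n", unlock_unchecked(stub_crypt, "hunter2", good), unlock_checked(stub_crypt, "hunter2", bad));
    return 0;
}
```

unlock_unchecked is only ever called here with the usable sample hash; passing it "*" reproduces the NULL dereference.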

Impact

A local attacker might be able to bypass access restrictions when
locking the screen fails under certain circumstances.

References

http://seclists.org/oss-sec/2016/q3/333
https://access.redhat.com/security/cve/CVE-2016-6866

OS         Version  Architecture  Package  Version  Filename
ArchLinux  any      any           slock    < 1.4-2  UNKNOWN
